From c8ee832c1154bb9c2b4647dffc2cb491dc896c1c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 29 Sep 2023 19:25:30 +0100
Subject: [PATCH] feat(profile): general update
---
 apparmor.d/groups/apps/dropbox | 2 +-
 apparmor.d/groups/children/child-open | 3 +++
 apparmor.d/groups/gnome/evolution-alarm-notify | 2 ++
 apparmor.d/groups/gnome/gnome-system-monitor | 6 +++---
 apparmor.d/groups/systemd/systemd-udevd | 3 +++
 apparmor.d/groups/virt/cockpit-bridge | 7 ++++++-
 apparmor.d/groups/virt/cockpit-session | 3 ++-
 apparmor.d/profiles-a-f/agetty | 2 --
 apparmor.d/profiles-a-f/dkms | 1 +
 apparmor.d/profiles-a-f/file-roller | 16 ++++++++++------
 apparmor.d/profiles-g-l/hw-probe | 2 ++
 apparmor.d/profiles-g-l/logrotate | 4 +---
 apparmor.d/profiles-g-l/lscpu | 18 ++++++++----------
 apparmor.d/profiles-m-r/quiterss | 2 +-
 apparmor.d/profiles-m-r/run-parts | 7 +++++++
 apparmor.d/profiles-s-z/snap | 4 ++--
 apparmor.d/profiles-s-z/snap-failure | 2 +-
 apparmor.d/profiles-s-z/snapd | 6 +++---
 apparmor.d/profiles-s-z/spotify | 1 +
 apparmor.d/profiles-s-z/sudo | 1 +
 apparmor.d/profiles-s-z/transmission-gtk | 1 +
 apparmor.d/profiles-s-z/udisksd | 7 ++++++-
 apparmor.d/profiles-s-z/update-cracklib | 1 +
 23 files changed, 66 insertions(+), 35 deletions(-)
diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/groups/apps/dropbox
index 9c7321f6..f4275e7f 100644
--- a/apparmor.d/groups/apps/dropbox
+++ b/apparmor.d/groups/apps/dropbox
@@ -108,7 +108,7 @@ profile dropbox @{exec_path} {
  owner /tmp/dropbox-antifreeze-* rw,
  owner /tmp/[a-zA-z0-9]* rw,
  owner /tmp/#@{int} rw,
- owner /var/tmp/etilqs_* rw,
+ owner /var/tmp/etilqs_@{hex} rw,
  @{run}/systemd/users/@{uid} r,
diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open
index 63aebdce..b0ff2d7e 100644
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@@ -67,6 +67,7 @@ profile child-open {
  @{bin}/discord{,-ptb} rPx,
  @{bin}/draw.io rPUx,
  @{bin}/dropbox rPx,
+ @{bin}/element-desktop rPx,
  @{bin}/engrampa rPx,
  @{bin}/eog rPUx,
  @{bin}/evince rPx,
@@ -74,6 +75,7 @@ profile child-open {
  @{bin}/filezilla rPx,
  @{bin}/flameshot rPx,
  @{bin}/geany rPx,
+ @{bin}/gimp* rPUx,
  @{bin}/gnome-calculator rPUx,
  @{bin}/gnome-disk-image-mounter rPx,
  @{bin}/gnome-disks rPx,
@@ -84,6 +86,7 @@ profile child-open {
  @{bin}/qpdfview rPx,
  @{bin}/smplayer rPx,
  @{bin}/spacefm rPx,
+ @{bin}/steam-runtime rPUx,
  @{bin}/teams rPUx,
  @{bin}/telegram-desktop rPx,
  @{bin}/thunderbird rPx,
diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify
index 458b3738..c338ae67 100644
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@@ -28,5 +28,7 @@ profile evolution-alarm-notify @{exec_path} {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/*ubuntu/applications/ r,
+ /etc/timezone r,
+
  include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor
index be5bcf3d..dae3880f 100644
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
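Review bot: `@{bin}/gimp* rPUx,` in the second child-open hunk is the only wildcard executable in this list; the trailing `*` matches every binary whose name starts with `gimp`, helper tools included, and `PUx` means any match without a profile of its own runs unconfined, whereas the surrounding entries each name one binary. If the wildcard is there only for the versioned binary name, a narrower pattern such as `@{bin}/gimp{,-[0-9]*} rPUx,` keeps the helpers out, and a short comment saying why `PUx` rather than `Px` is used would help the next reviewer. The `steam-runtime rPUx` entry in the third hunk is a single name and does not share this issue.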
@@ -46,9 +46,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  @{run}/systemd/sessions/* r,
  @{run}/systemd/sessions/*.ref r,
- @{sys}/devices/@{pci}/{,*/}net/*/statistics/collisions r,
- @{sys}/devices/@{pci}/{,*/}net/*/statistics/rx_{bytes,errors,packets} r,
- @{sys}/devices/@{pci}/{,*/}net/*/statistics/tx_{bytes,errors,packets} r,
+ @{sys}/devices/@{pci}/net/*/statistics/collisions r,
+ @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r,
+ @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/collisions r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/tx_{bytes,errors,packets} r,
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 2babbc19..7ae92f1e 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -38,11 +38,14 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/{,ba,da}sh rix,
  @{bin}/{,e}grep rix,
  @{bin}/*-print-pci-ids rix,
+ @{bin}/alsactl rPUx,
  @{bin}/cat rix,
  @{bin}/chgrp rix,
  @{bin}/chmod rix,
  @{bin}/cut rix,
  @{bin}/dmsetup rPUx,
+ @{bin}/ethtool rix,
+ @{bin}/kmod rPx,
  @{bin}/ln rix,
  @{bin}/logger rix,
  @{bin}/lvm rPx,
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index c28a667b..3238477b 100644
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@@ -18,6 +18,7 @@ profile cockpit-bridge @{exec_path} {
  capability dac_read_search,
  capability net_admin,
  capability sys_nice,
+ capability sys_ptrace,
  network inet dgram,
  network inet stream,
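Review bot: `capability sys_ptrace,` in the cockpit-bridge hunk is added without a comment saying which operation of the bridge needs it; unlike a path rule a capability line is not self-describing, and this one is presumably what lets the bridge read process information it does not own, so it deserves a recorded justification next to the grant. Something like `capability sys_ptrace, # <operation from the denial log, e.g. reading another user's /proc entries>` lets a later review judge whether the capability is still required or could be replaced by a narrower `ptrace (read)` rule. The second and third cockpit-bridge hunks (cgroup and cmdline rules) are on the next line and are not affected.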
@@ -55,9 +56,12 @@ profile cockpit-bridge @{exec_path} { @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw, @{run}/utmp r, + @{sys}/class/hwmon/ r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, - @{sys}/fs/cgroup/*.slice/**/memory* r, + @{sys}/fs/cgroup/**/ r, + @{sys}/fs/cgroup/**/cpu.{stat,weight} r, + @{sys}/fs/cgroup/**/memory* r, @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @@ -68,6 +72,7 @@ profile cockpit-bridge @{exec_path} { @{PROC}/diskstats r, @{PROC}/loadavg r, @{PROC}/uptime r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 644df827..83311f10 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -29,10 +29,11 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{lib}/cockpit/cockpit-pcp rPx, @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*.conf} r, + /etc/cockpit/disallowed-users r, /etc/group r, /etc/motd r, /etc/motd.d/ r, - @{etc_ro}/security/limits.d/{,*.conf} r, /etc/shells r, @{run}/faillock/[a-zA-z0-9]* rwk, diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty index 8310841c..7a554592 100644 --- a/apparmor.d/profiles-a-f/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -23,8 +23,6 @@ profile agetty @{exec_path} { @{bin}/login rPx, - /usr/share/subiquity/console-conf-wrapper rPx, # only:core22 - @{etc_rw}/issue r, /{,usr/}lib/os-release r, /{etc,run,lib,usr/lib}/issue r, diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 971d587e..8216ccbc 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms 
@@ -63,6 +63,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{lib}/modules/*/build/scripts/** rix, @{lib}/modules/*/build/tools/objtool/objtool rix, + /var/lib/dkms/**/build/* rix, /var/lib/dkms/**/configure rix, /var/lib/dkms/**/dkms.postbuild rix, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 671333b6..5269c450 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -14,8 +14,12 @@ profile file-roller @{exec_path} { include include include + include + include + include include include + include dbus bind bus=session name=org.gnome.ArchiveManager1, @@ -25,16 +29,16 @@ profile file-roller @{exec_path} { # Archivers @{bin}/7z rix, - @{lib}/p7zip/7z rix, - @{bin}/unrar-nonfree rix, - @{bin}/zip rix, - @{bin}/unzip rix, - @{bin}/tar rix, - @{bin}/xz rix, @{bin}/bzip2 rix, @{bin}/cpio rix, @{bin}/gzip rix, + @{bin}/tar rix, + @{bin}/unrar-nonfree rix, + @{bin}/unzip rix, + @{bin}/xz rix, + @{bin}/zip rix, @{bin}/zstd rix, + @{lib}/p7zip/7z rix, /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index b5230110..22c03f82 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -191,6 +191,7 @@ profile hw-probe @{exec_path} { @{sys}/devices/**/uevent r, @{run}/udev/data/* r, + include if exists } profile kmod { @@ -205,6 +206,7 @@ profile hw-probe @{exec_path} { @{sys}/module/*/{coresize,refcnt} r, @{sys}/module/*/holders/ r, + include if exists } profile netconfig { diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 5bf5c861..83b53d68 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate 
@@ -17,11 +17,9 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability fowner, capability fsetid, + capability net_admin, capability setgid, capability setuid, - capability net_admin, - - audit deny capability net_admin, signal (send) set=(hup), signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/profiles-g-l/lscpu index 102025b3..48f318c7 100644 --- a/apparmor.d/profiles-g-l/lscpu +++ b/apparmor.d/profiles-g-l/lscpu @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -13,22 +14,19 @@ profile lscpu @{exec_path} { @{exec_path} mr, - @{PROC}/ r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/bus/pci/devices r, - @{sys}/devices/system/cpu/{,**} r, - - @{sys}/firmware/dmi/tables/DMI r, - - @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/firmware/dmi/tables/DMI r, + @{sys}/kernel/cpu_byteorder r, - owner @{sys}/kernel/cpu_byteorder r, + @{PROC}/ r, + @{PROC}/bus/pci/devices r, + @{PROC}/sys/kernel/osrelease r, /dev/tty@{int} rw, - + + deny network unix stream, include if exists } diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 2179eb5b..c7443259 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -67,7 +67,7 @@ profile quiterss @{exec_path} { owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]* rw, owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]*-lockfile rwk, - owner /var/tmp/etilqs_* rw, + owner /var/tmp/etilqs_@{hex} rw, # Allowed apps to open @{lib}/firefox/firefox rPUx, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 088b93b9..f406d4da 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts 
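Review bot: In the logrotate hunk `capability net_admin,` becomes an unconditional grant, while the profile previously carried `audit deny capability net_admin,` alongside a duplicate allow, so the effective change is from audited-deny to allow and nothing in the hunk or the commit subject explains why. Since logrotate runs as root and executes post-rotate hooks, the new line should record the operation that needs the capability, e.g. `capability net_admin, # <reason from the denial log>`, so a reviewer can tell whether an allow or a quiet `deny capability net_admin,` is the right resolution of the old audit rule.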
@@ -129,6 +129,12 @@ profile run-parts @{exec_path} {
  /etc/kernel/prerm.d/ r,
  /etc/kernel/prerm.d/dkms rCx -> kernel,
+ /usr/share/finalrd/ r,
+ /usr/share/finalrd/mdadm.finalrd rPUx,
+ /usr/share/finalrd/open-iscsi.finalrd rPUx,
+
+ /usr/share/landscape/landscape-sysinfo.wrapper rPUx,
+
  owner /tmp/#@{int} rw,
  owner /tmp/$anacron* rw,
  owner /tmp/file@{rand6} ra,
@@ -203,6 +209,7 @@ profile run-parts @{exec_path} {
  @{bin}/dkms rPx,
  @{bin}/dpkg rPx -> child-dpkg,
  @{bin}/systemd-detect-virt rPx,
+ @{bin}/update-alternatives rPx,
  @{bin}/update-grub rPUx,
  @{bin}/update-initramfs rPx,
  @{lib}/dkms/dkms_autoinstaller rPx,
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index 3b510c1b..0cbb8e37 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -51,8 +51,8 @@ profile snap @{exec_path} {
  /snap/{,**} rw,
  # @{lib_dirs}/snap-confine rPx -> /usr/lib/snapd/snap-confine,
- @{lib_dirs}/snapd/snap-seccomp rPx -> snap-seccomp,
- @{lib_dirs}/snapd/snapd rPx -> snapd,
+ @{lib_dirs}/snapd/snap-seccomp rPx,
+ @{lib_dirs}/snapd/snapd rPx,
  /etc/fstab r,
diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure
index 0e002663..ee993439 100644
--- a/apparmor.d/profiles-s-z/snap-failure
+++ b/apparmor.d/profiles-s-z/snap-failure
@@ -15,7 +15,7 @@ profile snap-failure @{exec_path} {
  @{exec_path} mr,
  @{bin}/systemctl rPx -> child-systemctl,
- @{lib_dirs}/snapd/snapd rPx -> snapd,
+ @{lib_dirs}/snapd/snapd rPx,
  /var/lib/snapd/sequence/snapd.json r,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 1f89259b..8e2f2ae9 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -92,9 +92,9 @@ profile snapd @{exec_path} {
  @{lib_dirs}/@{multiarch}/** mr,
  @{lib_dirs}/@{multiarch}/ld-*.so rix,
  @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser,
- @{lib_dirs}/snapd/snap-discard-ns rPx -> snap-discard-ns,
- @{lib_dirs}/snapd/snap-seccomp rPx -> snap-seccomp,
- @{lib_dirs}/snapd/snap-update-ns rPx -> snap-update-ns,
+ @{lib_dirs}/snapd/snap-discard-ns rPx,
+ @{lib_dirs}/snapd/snap-seccomp rPx,
+ @{lib_dirs}/snapd/snap-update-ns rPx,
  /usr/share/bash-completion/{,**} r,
  /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index 7ce53667..c6fb08ef 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -82,6 +82,7 @@ profile spotify @{exec_path} {
  owner @{PROC}/@{pid}/task/@{tid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/status r,
+ /dev/tty rw,
  owner /dev/shm/pulse-shm-@{int} r,
  deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index c9d068ef..0280c78f 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -56,6 +56,7 @@ profile sudo @{exec_path} {
  @{lib}/** rPUx,
  @{lib}/sudo/** mr,
+ /opt/*/** rPUx,
  /snap/snapd/@{int}@{bin}/snap rPUx,
  @{etc_ro}/environment r,
diff --git a/apparmor.d/profiles-s-z/transmission-gtk b/apparmor.d/profiles-s-z/transmission-gtk
index 555d2fd7..0da33cf6 100644
--- a/apparmor.d/profiles-s-z/transmission-gtk
+++ b/apparmor.d/profiles-s-z/transmission-gtk
@@ -50,6 +50,7 @@ profile transmission-gtk @{exec_path} {
  @{run}/mount/utab r,
  @{PROC}/@{pid}/net/route r,
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/comm r,
  owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 703e65ee..3a20d615 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
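Review bot: `/opt/*/** rPUx,` in the sudo hunk lets sudo execute any file at any depth under any directory in `/opt`, and `PUx` means a target with no profile of its own runs unconfined with sudo's privileges; the neighbouring `/snap/snapd/@{int}@{bin}/snap rPUx,` is scoped to a single binary by contrast. If one vendor tree motivated the rule, naming it, or at least limiting the rule to executables such as `/opt/*/bin/* rPUx,`, keeps the fall-back-to-unconfined surface small, and a comment on the line should say which package needs it so the rule can be tightened later.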
@@ -136,12 +136,17 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
  @{run}/cryptsetup/L* rwk,
  @{sys}/bus/ r,
+ @{sys}/bus/pci/slots/ r,
  @{sys}/class/ r,
- @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,
+ @{sys}/class/nvme-subsystem/ r,
+ @{sys}/class/nvme/ r,
  @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
+ @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,
  @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
  @{sys}/devices/virtual/block/*/{,**} rw,
  @{sys}/devices/virtual/block/loop[0-9]*/uevent rw,
+ @{sys}/devices/virtual/dmi/id/product_uuid r,
+ @{sys}/devices/virtual/nvme-subsystem/{,**} r,
  @{sys}/fs/ r,
  @{PROC}/cmdline r,
diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib
index 891e0742..0d81dca5 100644
--- a/apparmor.d/profiles-s-z/update-cracklib
+++ b/apparmor.d/profiles-s-z/update-cracklib
@@ -22,6 +22,7 @@ profile update-cracklib @{exec_path} {
  @{bin}/grep rix,
  @{bin}/gzip rix,
  @{bin}/install rix,
+ @{bin}/install rix,
  @{bin}/sort rix,
  @{bin}/tr rix,